mirror of https://github.com/samba-team/samba.git synced 2025-01-18 06:04:06 +03:00

s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels

This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA,
which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher 2023-07-15 16:11:48 +02:00
parent 404ce08e90
commit d5f1097b62
2 changed files with 24 additions and 6 deletions

@ -1,3 +1 @@
^samba3.rpc.schannel.*\.schannel\(nt4_dc
^samba3.rpc.schannel.*\.schannel\(ad_dc
^samba4.rpc.schannel.*\.schannel\(ad_dc
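
Review bot: the header `@ -1,3 +1 @@` leaves one of these three schannel patterns in place, but the commit message does not say which environment is still expected to fail or why. A sentence in the message naming the remaining entry and the reason it stays would make the expected test state clear.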

@ -2364,6 +2364,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
struct netlogon_creds_CredentialState *creds;
NTSTATUS status;
switch (r->in.query_level) {
case 1:
break;
case 2:
/*
* Until we know the details behind KB5028166
* just return DCERPC_NCA_S_FAULT_INVALID_TAG
* like an unpatched Windows Server.
*/
FALL_THROUGH;
default:
/*
* There would not be a way to marshall the
* the response. Which would mean our final
* ndr_push would fail an we would return
* an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
*
* But it's important to match a Windows server
* especially before KB5028166, see also our bug #15418
* Otherwise Windows client would stop talking to us.
*/
DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
}
status = dcesrv_netr_creds_server_step_check(dce_call,
mem_ctx,
r->in.computer_name,
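
Review bot: the new switch on r->in.query_level sits ahead of dcesrv_netr_creds_server_step_check(), so for any level other than 1 the call now faults before the caller's credentials are checked, whereas the old path only returned NT_STATUS_NOT_SUPPORTED after that check had passed. If faulting before the credential step is deliberate, the comment in the default branch should say so, since the ordering is easy to undo by accident when level 2 is implemented. The same comment has two typos worth fixing while here: "the the response" and "fail an we".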
@ -2375,10 +2399,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
}
NT_STATUS_NOT_OK_RETURN(status);
if (r->in.query_level != 1) {
return NT_STATUS_NOT_SUPPORTED;
}
r->out.capabilities->server_capabilities = creds->negotiate_flags;
return NT_STATUS_OK;
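
Review bot: with the `r->in.query_level != 1` check removed here, the write to r->out.capabilities->server_capabilities relies entirely on the switch at the top of the function having rejected every other level. A one-line comment at this assignment pointing back to that switch would keep the two in step when another level is added.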